sqlmap icon indicating copy to clipboard operation
sqlmap copied to clipboard

Published 20 hours ago verified publisher icon sqlmapproject

unable to retrive table/column names after getting database type and name in webgoat: sql injection (advanced)_Assigment 5

Open James-Lu-none opened this issue 1 year ago • 4 comments

Describe the bug i was able to get the database type = "HSQLDB" and database name = "PUBLIC" by using --current-db, but when i trying to retrive the table/column names further using common-tables/columns, it says that no table(s)/column(s) found. i have cheated and checked the source code to get the table/column names and comfirmed so of the names that webgoat are using is in the provided common-table(s)/column(s).

To Reproduce

  1. Run 'sqlmap -r D:\projects\cyberSecurityProjects\note\injection\SQLInjection(advenced)\requests\register.txt -proxy http://127.0.0.1:8081 --string "please try to register with a different username" -p username_reg' to get database type "HSQLDB 1.7.2"
  2. Run 'sqlmap -r D:\projects\cyberSecurityProjects\note\injection\SQLInjection(advenced)\requests\register.txt -proxy http://127.0.0.1:8081 -p username_reg --dbms="HSQLDB" --technique=B -D public --tables --level=5 --risk=3' receives no table(s) found
  3. Run 'sqlmap -r D:\projects\cyberSecurityProjects\note\injection\SQLInjection(advenced)\requests\register.txt -proxy http://127.0.0.1:8081 -p username_reg --dbms="HSQLDB" --technique=B -D public -T sql_challenge_users --columns --level=5 --risk=3' receives no column(s) found

Expected behavior i followed a guide from here: https://pvxs.medium.com/webgoat-sql-injection-advanced-5-20ce63bf4aec and i expect to get some same or similar results he got.

Screenshots target table (from source code) image unable to get table names image unable to get column names image

Running environment:

  • sqlmap version 1.8#pip
  • Installation method pip
  • Operating system: Microsoft Windows 11
  • Python version 3.11.7

Target details:

  • DBMS: HSQLDB
  • SQLi techniques found by sqlmap: boolean-based blind

Additional context Add any other context about the problem here.

James-Lu-none avatar Jan 28 '24 06:01 James-Lu-none

maybe it is case-sensitive. try to use -D PUBLIC. if that works, i can easily upper case it automatically

stamparm avatar Feb 05 '24 11:02 stamparm

image

stamparm avatar Feb 05 '24 11:02 stamparm

maybe it is case-sensitive. try to use -D PUBLIC. if that works, i can easily upper case it automatically

yeah i tried that, it still shows the same thing.

James-Lu-none avatar Feb 07 '24 03:02 James-Lu-none

do you have some errors? can you run with -t traffic.txt and report back?

stamparm avatar Feb 08 '24 08:02 stamparm